Prevent ecommerce fraud 2023

Combining identity verification solutions for marketplace websites

Every growing marketplace goes through stages as it makes the journey from start-up to a profitable enterprise company. Naturally, each of those stages brings with it different requirements for risk protection. At first, a marketplace’s emphasis is going to be on onboarding users. Typically, the focus and energy will be on onboarding suppliers, appreciating that the demand side will grow more gradually over time. Because they are starting off small, it’s not uncommon for marketplace companies to hold off on investing too heavily in fraud management and identity verification. There is a common belief that only a minimal risk toolkit, more often than not built with in-house signals, is needed until a business scales. This toolkit generally includes basic email and phone verification using a one-time passcode (OTP).

Of course, once a platform begins to scale and user numbers start to double and triple and quadruple (always a clear metric of success!) so too do the risks associated with doing business in a global digital economy. It is now more vital than ever before that a marketplace start considering how to best protect not only their new users from fraudsters but also their evolving company from account abuse. However, to maintain its user base—and indeed encourage further growth—the marketplace needs to reduce risk without negatively impacting the customer experience.

Knowing how to strike the right balance between fighting fraud and providing a seamless customer experience is vital for today’s online marketplaces, especially those still in the growth stage. This is where a robust identity verification solution and fraud management platform come in. Below, let’s outline a selection of features to consider when building out a risk toolkit for today’s digital economy:

Internet Protocol (IP) address analysis and device identification for identity verification

These tools enable companies to determine the user’s IP address and device ID.

  • IP address: Generally used to detect proxy risk. An example is if a user’s billing address is thousands of miles from the IP address they’re logging in from.
  • Device ID: Constructed based on attributes of the phone, tablet or computer which can then be associated with a specific person or account.

Checking for these signals can effectively help companies separate trusted behaviors from suspicious actors. One way to look at device identification (and the issues associated with it) is to appreciate the trade-off between specificity and persistence. In other words, a specific identification signal will identify one single (specific) device. On the other hand, a persistent identification signal will not likely change, even if device settings change.

To best identify a device, one deposits a cookie that contains information regarding when it was created, along with user details, on a user’s machine when they land on a site. Each cookie is unique, which enables device-specificity. However, these cookies can be erased, or opted out of, very easily.

Meanwhile, when a user connects online, their IP address is suddenly known, indicating where on the internet the user is coming from. The address is a string of numbers separated by periods, like this: Similarly to the device signatures above, IP addresses are useful identity verification signals between online sessions. Unfortunately, however, these signals aren’t as effective for targeted schemes; they’re much too broad. For example, everyone connecting to a website from NYU servers will have the same IP address. Moreover, bad actors can quite easily obscure their true IP address by using proxies or VPNs, etc. For this reason, IP address analysis should be used in tandem with other signals to best detect fraudulent behavior.
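The sketch below is an added example, not code from the original article or from Ekata. It combines the device and IP signals described above: a cookie is specific but erasable, an attribute hash is persistent, and an IP address is too broad to act on alone. The field names, thresholds, and sample sign-ups are assumptions, and the `ip_geo` and `billing_geo` coordinates are assumed to have been resolved already by a geo-IP and geocoding lookup.

```python
import hashlib
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

def miles_between(a, b):
    """Haversine great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def fingerprint(s):
    """Persistent device ID: hash of device attributes, unchanged if cookies are erased."""
    canon = "|".join(f"{k}={v}" for k, v in sorted(s["device"].items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def group_sizes(signups, key):
    """Number of distinct accounts seen for each value of key(signup)."""
    groups = defaultdict(set)
    for s in signups:
        groups[key(s)].add(s["account"])
    return {k: len(v) for k, v in groups.items()}

def review_signups(signups, max_miles=1000, max_per_device=2):
    """Map each account to review reasons; a shared IP alone is never a reason."""
    per_device = group_sizes(signups, fingerprint)
    flags = {}
    for s in signups:
        reasons = []
        if miles_between(s["ip_geo"], s["billing_geo"]) > max_miles:
            reasons.append("ip_far_from_billing")
        if per_device[fingerprint(s)] > max_per_device:
            reasons.append("device_reused")
        flags[s["account"]] = reasons
    return flags

def signup(account, ip, ip_geo, billing_geo, cookie, ua):
    return {"account": account, "ip": ip, "ip_geo": ip_geo, "billing_geo": billing_geo,
            "cookie": cookie, "device": {"ua": ua, "screen": "1440x900", "tz": "UTC-5"}}
NYC, SEATTLE = (40.73, -73.99), (47.61, -122.33)
SIGNUPS = [  # constructed sample data; IPs come from documentation-only ranges
    signup("stu1", "198.51.100.7", NYC, NYC, "c1", "Firefox/115"),  # campus NAT
    signup("stu2", "198.51.100.7", NYC, NYC, "c2", "Chrome/114"),
    signup("stu3", "198.51.100.7", NYC, NYC, "c3", "Safari/16"),
    signup("rep1", "203.0.113.10", NYC, NYC, "c4", "Edge/113"),  # one device,
    signup("rep2", "203.0.113.11", NYC, NYC, "c5", "Edge/113"),  # cookie erased
    signup("rep3", "203.0.113.12", NYC, NYC, "c6", "Edge/113"),  # between sign-ups
    signup("trav1", "192.0.2.44", SEATTLE, NYC, "c7", "Opera/99"),
]
if __name__ == "__main__":
    print(review_signups(SIGNUPS))
```

Grouping the same sample by cookie finds no reuse at all, while grouping by IP lumps the three campus users together; only the attribute hash links the three sign-ups made from one device.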

Data validation for identity verification

These services enrich sign-up data provided by users to assess risk. They work by validating that the data is accurate and verifying users by identifying linkages between data points (such as name-to-phone and name-to-email).

To get the most benefit from a data validation and verification service, look for these features:

  • Flexible search types
  • Comprehensive identity data coverage
  • Global data
  • Speed of search response

Two-factor authentication for identity verification

Generally, one of the first fraud deterrents a marketplace puts in place for identity verification and fraud mitigation is two-factor authentication (2FA). This process requires a customer to use a secondary communication platform to verify the customer has possession of the contact point they claimed. This usually takes the form of a text message code or a link in an email.

Commonly, 2FA requires a user to have two out of three kinds of credentials to access an account. These are the following:

  • Something you know or can be given (this is commonly a one-time PIN)
  • Something you have (such as a secure ID card or a security key)
  • Something you are (biometric factors such as a fingerprint, retinal scan or voice print)

Unfortunately, 2FA can be skirted with the use of burner phones and throw-away emails. And remember our mention of cookies above? Bad actors have been known to use malware that targets data in browsers and steals cookies. This then gives them access to other browsers, web servers, accounts and even files.

Furthermore, many data theft schemes actually bypass 2FA completely by cleverly scamming customers. Just think of all the phishing attempts that have been made by scammers pretending to be contacting the bank, or a government agency, etc.

One way to strengthen 2FA identity verification processes is to mandate stronger passwords and encourage the use of password managers. More importantly, we should all be moving away from text-based (SMS) authentication in favor of something much more secure.

KYC/AML for identity verification

Know your customer (KYC) and anti-money laundering (AML) checks are required for regulatory compliance when dealing with financial payments and transactions. These checks verify that the customer’s name, birthday, address and Social Security number all match—but this data can easily be purchased on the black market, so additional verification is required.

With KYC/AML checks, marketplaces also need to balance the cost and friction to users with their effectiveness in improving the trust and safety of their platform.

Document or selfie for identity verification

Marketplaces can also require customers to take a selfie which is then matched against a driver’s license or other government paperwork in order to verify their identity.

Naturally, while this is a secure tool, it’s also costly and adds significant friction for the user.

Background and criminal checks

Some marketplaces require a background or criminal check, particularly for suppliers of services like house cleaning or childcare. This is generally a standard criminal background report that searches county databases and is typically done via API.

The turnaround time for a background check can be hours or days, and the price can be unrealistic for large-scale growth on the demand side. Additionally, lightweight verification is still needed for the demand side.

Building your risk toolkit for identity verification

No single one of these solutions is enough to effectively fight fraud on a marketplace platform, which is why growing marketplace companies need to create a toolkit whose parts work together to meet their objectives. Let us guide you!

Learn how Ekata’s data validation and identity verification services work with the other aspects of your risk toolkit to help you decrease fraudulent sign-ups.

